Description
PR #2933 introduced secure cookie settings (HttpOnly, Secure, SameSite) in setOauthCookie to fix a CodeQL SAST warning. While these settings are correct for production, they break local development when the control plane is not served over HTTPS, for example when it is accessed through a non-localhost address.
The Secure flag is the culprit: a browser will not store, and will not send back, a cookie marked Secure that was set by a plain-HTTP origin, so the OAuth state cookie is dropped and the callback cannot complete. Current Chrome and Firefox treat http://localhost as a secure context and exempt it, which is why the breakage shows up on non-localhost addresses rather than on localhost itself. HttpOnly has no dependency on the transport, and SameSite=Lax is still sent on the top-level GET redirect back from the identity provider, so neither of those needs relaxing for the flow to work over HTTP.
Proposed fix: make Secure, HttpOnly, and SameSite conditional on whether the system is running in development mode. Development mode is determined by server.Version == "dev" (the default value, overridden at build time for releases). When in dev mode, these flags should be omitted or relaxed so local OAuth flows continue to work. At minimum Secure must be dropped in dev mode; keeping HttpOnly and SameSite=Lax unconditional is safe and avoids reintroducing the warning for those two attributes.
Affected code: app/controlplane/internal/service/auth.go — setOauthCookie function.
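The shape of the proposed fix, as an added illustration rather than the project's own setOauthCookie: a build-time version string (hypothetically named Version, standing in for server.Version) selects dev mode, and only the Secure attribute follows that switch while HttpOnly and SameSite=Lax stay on. The cookie name, value and TTL are constructed sample values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Version stands in for the build-time version variable mentioned in the
// issue. "dev" is assumed to be the default; a release build overrides it
// with -ldflags "-X main.Version=v1.2.3". Hypothetical name, not the project's.
var Version = "dev"

// IsDevMode reports whether this binary is an unreleased development build.
func IsDevMode(version string) bool {
	return version == "dev"
}

// NewOAuthCookie builds the cookie that carries OAuth state from the
// authorization redirect to the callback.
//
// Only Secure depends on the transport: a browser discards a Secure cookie
// set by a plain-HTTP, non-localhost origin, so it is dropped in dev mode.
// HttpOnly costs nothing over HTTP and stays on. SameSite=Lax is still sent
// on the top-level GET redirect back from the identity provider, so the
// callback can read the cookie; Strict would not be sent on that navigation.
func NewOAuthCookie(name, value, version string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		MaxAge:   int(ttl.Seconds()),
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		Secure:   !IsDevMode(version),
	}
}

// SetOAuthCookie writes the state cookie onto the response with a short TTL;
// the state only needs to survive the round trip to the identity provider.
func SetOAuthCookie(w http.ResponseWriter, name, value, version string) {
	http.SetCookie(w, NewOAuthCookie(name, value, version, 10*time.Minute))
}

// SetCookieHeader renders the Set-Cookie header a client would receive for
// the given build version, using a constructed sample cookie.
func SetCookieHeader(version string) string {
	rec := httptest.NewRecorder()
	SetOAuthCookie(rec, "oauthState", "s3cr3t-state", version)
	return rec.Header().Get("Set-Cookie")
}

func main() {
	fmt.Println("dev build:     ", SetCookieHeader("dev"))
	fmt.Println("release build: ", SetCookieHeader("v1.0.0"))
}
```

Note that the switch is decided at build time, not per request: a "dev" binary reached over HTTPS still emits a non-Secure cookie. If that matters, the server can instead inspect the incoming request (r.TLS != nil, or a trusted X-Forwarded-Proto header behind a proxy) and set Secure whenever the connection actually is TLS.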